---
sidebar_label: Transform
description: >-
  Part of OpenBao's Advanced Data Protection solution, protecting sensitive information
  stored outside of OpenBao.
---

# Transform secrets engine

Part of OpenBao's Advanced Data Protection solutions, Transform provides mechanisms
for _transforming_ sensitive information to protect it even as it lives outside
OpenBao's sphere.

Transform consists of three modes, called _transformations_. Format Preserving
Encryption (**FPE**) for encrypting and decrypting values while retaining their
formats. **Masking** for replacing sensitive information with masking
characters. And **Tokenization** which replaces sensitive information with
mathematically unrelated tokens.

## Comparison to transit

Transit implements many traditional cryptographic primitives, such as AES encryption and
RSA signatures (among others). Transform implements solutions to protect sensitive
values in more narrow, but still critical use cases.

## What solution when?

When should one use a particular transform or transit encryption? Based on your
use case and its requirements, this flowchart can help you choose the right
solution.

![Transit vs Transform](/img/transit-or-transform.png)

Keep in mind that unlike all other solutions, Tokenization is stateful, and all
values must be stored either within OpenBao or a supported external store. As such
all other solutions will outperform and outscale tokenization.
